libssh versions 0.6 and above have an authentication bypass vulnerability in
the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message
in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect
to initiate authentication, the attacker could successfully authenticate
without any credentials.
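Added example, not part of the thread and not libssh's own code: a simplified model of the flaw described above, next to the direction check that closes it. The `session` struct and the `dispatch_*` and `packet_allowed` names are hypothetical; only the message numbers (RFC 4252) are real.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Message numbers from RFC 4252. */
enum { SSH2_MSG_USERAUTH_REQUEST = 50, SSH2_MSG_USERAUTH_FAILURE = 51,
       SSH2_MSG_USERAUTH_SUCCESS = 52 };

/* Hypothetical session model (assumption), not libssh's structures. */
enum role { ROLE_CLIENT, ROLE_SERVER };
struct session { enum role role; bool authenticated; };

/* Flawed pattern: the "auth succeeded" handler runs for any session,
 * including a server session that should never receive this message. */
static void dispatch_unfiltered(struct session *s, uint8_t type)
{
    if (type == SSH2_MSG_USERAUTH_SUCCESS)
        s->authenticated = true;
    /* USERAUTH_REQUEST credential checking is omitted from this model. */
}

/* Hardened pattern: decide from role and state whether the peer may send
 * this message at all. SUCCESS/FAILURE only travel server-to-client. */
static bool packet_allowed(const struct session *s, uint8_t type)
{
    switch (type) {
    case SSH2_MSG_USERAUTH_REQUEST:
        return s->role == ROLE_SERVER && !s->authenticated;
    case SSH2_MSG_USERAUTH_SUCCESS:
    case SSH2_MSG_USERAUTH_FAILURE:
        return s->role == ROLE_CLIENT && !s->authenticated;
    default:
        return false; /* this model covers only the userauth messages */
    }
}

/* Returns false when the packet is rejected; the caller should disconnect. */
static bool dispatch_filtered(struct session *s, uint8_t type)
{
    if (!packet_allowed(s, type))
        return false;
    dispatch_unfiltered(s, type);
    return true;
}

int main(void)
{
    struct session a = { ROLE_SERVER, false }, b = { ROLE_SERVER, false };
    dispatch_unfiltered(&a, SSH2_MSG_USERAUTH_SUCCESS);
    bool ok = dispatch_filtered(&b, SSH2_MSG_USERAUTH_SUCCESS);
    printf("unfiltered=%d filtered=%d accepted=%d\n", a.authenticated, b.authenticated, ok);
    return 0;
}
```
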

Yeah I think the hype is overblown, though it is a security hole nonetheless.

I was worried about two major ssh servers that actually run as root:
- OpenSSH, but this is standalone and does not use libssh
- Dropbear, and once again it has its own ssh implementation.

All other applications may use libssh but for client side connectivity and thus do not have root access. The reason why it still may be a problem is if these applications implement an internal server, which seems kind of pointless.

So, while it is a bug, this is not as big a story as it seems, at least for Gentoo. Can't say the same for other OS.

In my opinion, the right attitude towards vulnerable software is to patch it as soon as possible no matter what damage it would cause.

It's a good attitude if you don't understand the bug, but it's also worth stepping back and doing an actual assessment of the issue at hand, and not making hasty moves that may cause unneeded panic.

Before I forget, thank you for posting about the bug, I had not seen it until you wrote about it. I really appreciate it.